On Wed, 2008-07-30 at 16:53 +0200, Richard Hartmann wrote:
> Hi all,
>
> as you are very likely all aware, Dan Kaminsky uncovered a major exploit
> in RFC-compliant DNS caching servers the successful execution of which
> relies on port prediction/guessing.
>
> After quite some research, I have come up with the following facts which
> I want to cross-check with you guys so I can be _sure_.
>
>
> 1) The --random target for SNAT exists since 2.6.22 to allow 'fixing' of
> broken DNS servers in your NATted LAN along the lines of
>
> iptables -t nat -I POSTROUTING 1 -p udp -s 1.2.3.4 --dport 53 -j SNAT \
> --to 1.2.3.4 --random
>
> Is that correct?

One of the main points of the Kaminsky exploits allegedly is (but who
knows for sure, it hasn't been published yet) that the BIND people weren't
using a cryptographically secure random number generator for the
transaction ids (which aren't affected by SNAT I gather) and the fixed but
random query source port.

Sure, they also didn't change the query source port for each query, but the
question is if this is really the most important part of the equation. I
rather suspect that the random32 generator in the Linux kernel is not
cryptographically secure, and you will not be changing the transaction ids.
The question therefore is if you will really gain a lot of security with
respect to the exploit in question.

Hmm.. We'll know next week :)
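The thread turns on two separate things a resolver (or the SNAT rule in front of it) is supposed to vary: the UDP source port and the DNS transaction id. A defender who has applied the `--random` rule usually wants a quick way to confirm from captured queries that the ports actually vary, and the same check applies to transaction ids, which SNAT does not touch. The script below is an added illustration, not code from the original message, netfilter or BIND; its three port samples are constructed inline (a fixed port, a resolver cycling through eight ports, and a seeded PRNG standing in for a randomizing resolver), and the 0.5 entropy-ratio threshold for the "weak" verdict is an arbitrary choice for the example.

```python
"""Check whether sampled DNS query source ports (or transaction ids) look
randomized.

Added illustration for the thread above; not from the original message,
netfilter or BIND. All samples are constructed, not captured traffic.
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def randomization_report(values):
    """Summarise how much a sample of 16-bit values varies.

    For a sample of n values the entropy cannot exceed log2(n), which is
    reached only when every observed value is distinct; the ratio of the
    measured entropy to that bound drives a rough verdict.
    """
    if not values:
        raise ValueError("empty sample")
    n = len(values)
    distinct = len(set(values))
    entropy = shannon_entropy_bits(values)
    max_entropy = math.log2(n) if n > 1 else 0.0
    ratio = entropy / max_entropy if max_entropy else 0.0
    if distinct == 1:
        verdict = "fixed"          # one source port for every query
    elif ratio < 0.5:              # assumed threshold for this example
        verdict = "weak"           # varies, but over a small set of values
    else:
        verdict = "randomized"     # spread across the sample as widely as possible
    return {
        "samples": n,
        "distinct": distinct,
        "entropy_bits": round(entropy, 2),
        "verdict": verdict,
    }


# Constructed samples (not captured traffic):
# a resolver that always queries from UDP port 32768
FIXED_PORT_SAMPLE = [32768] * 200
# a resolver cycling through only eight source ports
CYCLING_PORT_SAMPLE = [1024 + (i % 8) for i in range(200)]
# a resolver drawing from the whole unprivileged range
# (seeded PRNG so the example is repeatable)
_rng = random.Random(20080730)
RANDOM_PORT_SAMPLE = [_rng.randint(1024, 65535) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE),
                         ("cycling", CYCLING_PORT_SAMPLE),
                         ("random", RANDOM_PORT_SAMPLE)):
        print(name, randomization_report(sample))
```

Run the same report over the transaction ids of the captured queries to see the second half of the picture the reply raises. Note what this check can and cannot say: a few hundred samples show whether the values vary at all, which is the precondition the fixed-port resolvers failed, but they cannot distinguish a cryptographically secure generator from a weak one such as the reply suspects random32 to be, since a predictable sequence can still look uniformly spread.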